White House Tightens Cybersecurity Reporting Requirements

Federal CIO lays out a new directive requiring agencies to implement real-time digital monitoring of their information systems.

As the Obama administration continues its efforts to update and strengthen the federal government's defenses against cyber threats, the White House has issued new rules that will require agencies to monitor their IT systems for intrusions and vulnerabilities in real time.

A memo (PDF format) released this week by the Office of Management and Budget lays out new requirements for agencies to set up automated threat-monitoring feeds that gather data from security management tools, giving admins real-time data on attacks and other dangers.

"We are shifting the focus from old-styled, paper-based reports to real-time electronic data that feed directly and immediately into security monitoring and alert systems," Federal CIO Vivek Kundra said in a post on the White House blog.

Agencies' real-time information will also be funneled monthly to a central Web platform dubbed CyberScope.

The new directive updates the reporting requirements for federal agencies laid out in the 2002 Federal Information Security Management Act (FISMA). Federal IT managers have long balked at the costly and time-consuming FISMA provisions, which call for centralized reporting on a quarterly basis, rather than monthly. Critics have argued that FISMA has done more to create unnecessary red tape than it has to enhance information security.

Kundra singled out the State Department, which over the past six years has spent $133 million in the production of 95,000 pages of security documentation about its core IT systems, amounting to about $1,400 per page.

"As we move away from the old-style reports and into a more real-time system of security data feeds, we are implementing solutions that actually help to protect the country rather than simply generate paperwork," Kundra said.

The new reporting requirements are the result of an interagency task force formed in September 2009 to reshuffle the metrics agencies use to evaluate the security of their systems.

On the military side, Lt. Gen. Keith Alexander, the President's nominee to head the newly created Cyber Command in the Pentagon, recently came up for his confirmation hearing in the Senate. The proceeding had long been delayed over concerns about the authority and scope of the new unit, particularly with regard to the execution of cyber attacks against hostile groups or foreign governments.

At that hearing, Alexander, who currently serves as director of the National Security Agency, reminded the senators that critical government systems are constantly probed and threatened by a broad range of intruders.

Kundra echoed that concern in announcing the new FISMA requirements, arguing that the fast-moving nature of the threats and attacks obligates the government to take a more nimble approach.

"Without question, the threat is real, and our response must match it in intensity, security and creativity," he said.

The OMB memo directs agencies to complete their FISMA reporting through the CyberScope platform by Nov. 15. Beginning Jan. 1, 2011, agencies will be required to update CyberScope with new threat information each month.

DHS will act as the coordinating agency, offering logistical support to help IT managers with their monitoring and reporting programs, and evaluating their progress on responding to the new directive.